You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Krist van Besien <kr...@gmail.com> on 2009/03/31 13:16:42 UTC
Re: [users@httpd] Reverse proxy from HTTP to HTTPS or HTTPS to HTTPS
how?
On Tue, Mar 31, 2009 at 12:35 PM, anebi@iguanait.com <an...@iguanait.com> wrote:
> I know how to create a reverse proxy for HTTP -> HTTP, but i don't know
> how to do it for HTTP to HTTPS. I know there is a SSLProxyengine that i
> should activate, but probably i need to do more than these to get
> working this.
You need to enable Apache as an SSL client. This is what I wrote about
on this list last year:
Apache can't proxy to https urls out of the box. You need to do some work.
you need to add the following to your config.
# turn on SSL proxying.
SSLProxyEngine On
# to tell Apache where to find CA certificates to check remote server
certificates with:
# (You can choose yourself where you put these certificates)
SSLProxyCACertificatePath /path/to/ca/certificates.
Then in this path you need to put the CA certificate(s) used to sign
the certificate(s) used by the server(s) you communicate with. If you
want to talk to a server that uses a "self signed" certificate you
will need to put it in this dir too.
Once you've done that you need to run c_rehash in that directory.
c_rehash is part of a standard openssl distribution. c_rehash creates
hashed aliases in this dir. Apache needs these.
In order to test if everything is there you can do the following:
openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443
if the conenction succeeds just try to do a
GET /abc/
and see if you get something. If this test is succesfull apache should work too.
Krist
--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Reverse proxy from HTTP to HTTPS or HTTPS to
HTTPS how?
Posted by "anebi@iguanait.com" <an...@iguanait.com>.
Thanks for your reply.
I expected that i need to tell apache to use some certificates that to
use for this job. Yes we have self-signed certificates in main server
and in the internal server. So i need to take the certs from the
internal server and to put them somewhere on the main server. Then to
configure apache to use these certs for this job.
Have i understood this correctly ?
On Tue, 2009-03-31 at 13:16 +0200, Krist van Besien wrote:
> On Tue, Mar 31, 2009 at 12:35 PM, anebi@iguanait.com <an...@iguanait.com> wrote:
>
> > I know how to create a reverse proxy for HTTP -> HTTP, but i don't know
> > how to do it for HTTP to HTTPS. I know there is a SSLProxyengine that i
> > should activate, but probably i need to do more than these to get
> > working this.
>
> You need to enable Apache as an SSL client. This is what I wrote about
> on this list last year:
>
> Apache can't proxy to https urls out of the box. You need to do some work.
>
> you need to add the following to your config.
>
> # turn on SSL proxying.
> SSLProxyEngine On
>
> # to tell Apache where to find CA certificates to check remote server
> certificates with:
> # (You can choose yourself where you put these certificates)
> SSLProxyCACertificatePath /path/to/ca/certificates.
>
> Then in this path you need to put the CA certificate(s) used to sign
> the certificate(s) used by the server(s) you communicate with. If you
> want to talk to a server that uses a "self signed" certificate you
> will need to put it in this dir too.
>
> Once you've done that you need to run c_rehash in that directory.
> c_rehash is part of a standard openssl distribution. c_rehash creates
> hashed aliases in this dir. Apache needs these.
>
> In order to test if everything is there you can do the following:
>
> openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443
>
> if the conenction succeeds just try to do a
> GET /abc/
>
> and see if you get something. If this test is succesfull apache should work too.
>
> Krist
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org